debugging a non-secure app (with tfm)

RE: debugging a non-secure app (with tfm)

Monkeytronics — Tue, 11 Nov 2025 05:21:29 GMT

Hey there, I don't quite follow what the resolution was here. Could you spell it out a bit more clearly for us dullards at the back?

I've got an app which has TFM enabled. If I debug it, it hangs at the reset_handler(). I've opened the debug console and typed in "-exec mon reset" and then continued the debug , but it just go off into nowhere land, and never reaches my main function.

This is my first project with this ecosystem, so all a bit new. Would it be valid to revert to non _ns board files disable the TFM and complete the development cycle. And then create a little script to convert the source over to use TFM? Or is this a naive notion?

RE: debugging a non-secure app (with tfm)

randomdude — Mon, 08 Aug 2022 10:54:47 GMT

Dude! That was it! Actually, that was all there was to it.

Thank you so much!

RE: debugging a non-secure app (with tfm)

dejans — Mon, 08 Aug 2022 09:28:01 GMT

Hi,

The reset is done inside "west debug", after the breakpoint is set. First, you have "break main" and "continue", followed by "mon reset" and "continue", it should break into main.

Best regards,
Dejan

RE: debugging a non-secure app (with tfm)

randomdude — Fri, 05 Aug 2022 12:39:26 GMT

I've switched to Zephyr toolchain version 0.14.1, but It makes no difference.

[quote userid="111786" url="~/f/nordic-q-a/89861/debugging-a-non-secure-app-with-tfm/377338"]Crypto sample requires target reset.[/quote]

What exactly did you mean by that? Do I have to reset the target manually? If so, when and how? I thought, the target reset would be executed automatically by whatever 'west flash' or 'west debug' did behind the scenes.

RE: debugging a non-secure app (with tfm)

dejans — Wed, 03 Aug 2022 13:38:38 GMT

Hi,

The toolchain provided by Zephyr is set of tools to help in building and debugging. You should use Zephyr toolchain version 0.14.1 instead of 0.14.2.

Best regards,
Dejan

RE: debugging a non-secure app (with tfm)

randomdude — Wed, 03 Aug 2022 11:33:15 GMT

Still not sure about the terminology. As I understand it, there are two parts to Zephyr. The Zephyr-RTOS source files which are shipped with the nrf connect SDK, and the toolchain, which gets installed in /opt or ~, or wherever. I was using the Zephyr SDK that comes with the nrf connect SDK from the main branch and zephyr toolchain 0.14.2.

RE: debugging a non-secure app (with tfm)

dejans — Wed, 03 Aug 2022 07:28:31 GMT

Hi,

I am referring to psa_crypto sample. Which Zephyr version did you use when building your sample?

Best regards,
Dejan

RE: debugging a non-secure app (with tfm)

randomdude — Tue, 02 Aug 2022 15:36:08 GMT

Hi,

which crypto sample are you referring to, exactly? I have done a fresh install of the main branch of the nrf connect SDK and built the psa_crypto sample in zephyr/samples/tfm_integration, but debugging still fails the same way it did before.

One thing I didn't realize before is that I was using two different zephyr flavors, vanilla and the one that comes with the nrf connect SDK. Not sure if that makes much of a difference in this case, though.

RE: debugging a non-secure app (with tfm)

dejans — Mon, 18 Jul 2022 07:39:40 GMT

Hi,

You could now test the crypto sample from the main branch with build command "west build -b nrf9160dk_nrf9160_ns@your_revision_number", where your_revision_number is revision number of the board. Crypto sample requires target reset.

Best regards,
Dejan

RE: debugging a non-secure app (with tfm)

dejans — Thu, 14 Jul 2022 13:51:53 GMT

Hi,

I have asked internally. I'll get back to you during next week when I get new information.

Best regards,
Dejan

RE: debugging a non-secure app (with tfm)

randomdude — Wed, 13 Jul 2022 14:30:05 GMT

I added the symbols you suggested, but regrettably it didn't help that much. Anything else I might me missing?

devzone.nordicsemi.com/.../debug_5F00_psa_5F00_sample_5F00_3.1.0_5F00_with_5F00_tfm_5F00_symbols.txt

RE: debugging a non-secure app (with tfm)

dejans — Wed, 13 Jul 2022 12:05:33 GMT

Hi,

The reason that debugging was successful with Zephyr 2.7.99 is that "west debug" only adds symbols for Zephyr application, but not for TF-M. Blinky application with Zephyr 2.7.99 _ns worked well as it uses SPM instead of TF-M. If you want to add TF-M application to the "west debug", you would need to create a file called ".gdbinit" and add TF-M elf file there, as shown below

add-symbol-file build/tfm/bin/tfm_s.elf

Unfortunately, this addition of TF-M elf file is currently not supported in west, but it is expected to be supported in one of the future versions of west.

You could consider using Zephyr 3.1.99 when it reaches main or use available upmerge pull requests shown below
https://github.com/nrfconnect/sdk-nrf/pull/8056
https://github.com/nrfconnect/sdk-zephyr/pull/838

Best regards,
Dejan

RE: debugging a non-secure app (with tfm)

randomdude — Tue, 12 Jul 2022 16:19:11 GMT

I have attached gdb session logs for the following scenarios:

blinky built with zephyr 3.1.0 w/o ns --> works
blinky built with zephyr 3.1.0 with ns --> hangs on the first "continue"
blinky built with zephyr 2.7.99 with ns --> works
psa_crypto sample built with zephyr 3.1.0 (ns mandatory) --> jumps to unknown memory

The main difference (apart from the memory locations) I spotted was that the psa_crypto sample and the 3.1.0-ns-blinky use tfm, while the 2.7.99-ns-blinky uses spm, and the blinky built without the '_ns' uses neither.

So the plot thickens. All this points to my earlier suspicion that it might not be possible at all to debug a tfm application beyond the bootloader.

devzone.nordicsemi.com/.../debug_5F00_blinky_5F00_3.1.0.txt devzone.nordicsemi.com/.../debug_5F00_blinky_5F00_ns_5F00_2.7.99_2D00_ncs_2D00_1.txt

devzone.nordicsemi.com/.../debug_5F00_blinky_5F00_ns_5F00_3.1.0.txt

devzone.nordicsemi.com/.../debug_5F00_psa_5F00_sample_5F00_3.1.0.txt

RE: debugging a non-secure app (with tfm)

dejans — Tue, 12 Jul 2022 13:38:32 GMT

Hi,

Can you show how do you run "west debug" command?
Can you show the differences when running "west debug" with blinky and psa_crypto?

Best regards,
Dejan